The Corollary to Hoff's Law

“Security” concerns continue to top every cloud computing related survey. This could be because, well, CIOs and organizations in general are concerned about security. It could be because the broader question of control over the infrastructure – including security – is never proffered as a reason for reluctance to jump into the fray known as cloud computing.

Forty-nine percent of survey respondents from enterprises and 51 percent from small and medium-size businesses cited security and privacy concerns as their top reason for not using cloud computing. – Survey: Security Concerns Hinder Cloud Computing Adoption, NetCentric Security, December 2009

According to Forrester Research’s Cloud Computing study 2009, about 44 per cent of large enterprises are interested in building an internal cloud. “Enterprises are more attracted to private cloud compared to public, due to security concerns about mission critical applications and data,” Kumar [Sushil Kumar, Oracle’s vice president of Product Strategy and Business Development System Management Product Group] noted. -- And finally Oracle is on Cloud

Interestingly, IDC’s latest Cloud Survey (December 2009) actually seems to show that broader “control” issues are coming to light. 76% of respondents indicated that “not enough ability to customise” was a challenge in their quest to adopt cloud computing models.

Visibility, while also a concern, can also be a side-effect of control. If you have control over the infrastructure you also have visibility. It could be argued that providers could enable the means by which customers could have visibility into infrastructure, especially the network, by exposing reporting but the truth is most network infrastructure solutions are not capable of providing the isolation of data required (they are not inherently mutli-tenant) and thus it’s not as easy as it might sound.

IT’S NOT ALL PUPPIES and RAINBOWS

Whether the primary concern regarding cloud computing is “security” or “visibility” or “any form of performance/availability guarantee, a.k.a. SLA”, the larger, more encompassing oncern is directly about control.

Organizations want and need to control (among other infrastructure services):

access to application and data

rate of inbound requests (prevention of accidental or intentional DDoS)

inbound content (defense against exploitation)

outbound content (stop data leaks)

architecture, to ensure the proper security and application delivery mechanisms that support all of the above are in place

The problem is that “cloud” doesn’t really allow much of this control at all. Not yet. That means that there is a corollary to Hoff’s Law* which states: “If your security practices suck in the physical realm, you’ll be delighted by the surprising lack of change when you move to Cloud.” That corollary is “If your security practices don’t suck in the physical realm, you’ll be concerned by the inability to continue that practice when you move to Cloud.”

Even if an organization has – and executes upon – a good security strategy that does not mean that they’ll be able to carry all of their related tactical implementations into the cloud. Certainly if the organization is looking at IaaS (Infrastructure as a Service) and many of those tactical implementations are software or virtual appliances they will be able to carry those into the cloud with them. But if the tactical implementations are not in a form-factor deployable in the target environment, well, the organization is out of luck.

Security practices manifest themselves in most cases as the implementation of a solution. Whether that’s using SSL or a web application firewall to secure a web application, or a DLP (data leak prevention) solution to prevent customer data loss, or fine grained application access controls via an external identity store – it’s still a physical manifestation that needs either to be transportable to the cloud environment or the provider should offer similarly capable services. The organization must, in other words, be capable of customizing their deployment in the cloud computing environment to meet their various needs of scalability (mostly covered today), security, and performance. It’s the latter two that aren’t readily available today and where providers need to focus next.

To be fair to providers, vendors need to recognize the need for these solutions in the cloud and provide one of two things - ideally both:

A virtual appliance (if it is a solution for which this form factor makes sense)

Too many cloud cheerleaders seem overly dismissive of the concerns organizations have. Whether the concerns are real (many are) or simply perceived (some are) as a problem is irrelevant: the customer is speaking to you and they are saying they are concerned. That may be inhibiting adoption, therefore such concerns should be addressed by providers if they are to convince customers to sign on.

One would hope that providers would choose to address those concerns through service offerings or expanded partnerships with solutions’ vendors, but it could be as simple as being more transparent and open about their own security practices and the tactical solutions the provider is using to secure its infrastructure. Hoff and some extremely talented folks have started up CloudAudit.org in an attempt to forward a model and ultimately an API that would provide customer access to just this type of information. That’s certainly a step in the right direction. The bigger question, however, is whether providers who have been reluctant to provide any visibility into their infrastructure and security practices thus far will be willing to implement and support an effort like CloudAudit once it’s complete.

Conversely, we need to stop portraying cloud computing environments as though they are sieves. Providers certainly do have security measures in place, whether we know what they are or not. It’s not as if they’re running out of a basement, after all, and they understand the need for security not just for their customers, but to protect their own infrastructure and investments. In that respect Hoff’s Law holds true: the security of applications you place in the cloud has just as much to do with your security practices as it does the providers’.

Related Stories

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

Virtual Application Appliances (VAA) decouple an application from the operating system (OS) and its underlying infrastructure. The resultant virtual application appliance contains an application with its dependencies, but with zero operating system (zeOS) component. The aim of VAAs is to enable enterprises to provision server based applications to any machine in the data center in a matter of seconds or move an application from the data center to the cloud (D2C).

Cloud Expo

Cloud Computing & All That
It Touches In One Location Cloud Computing - Big Data - Internet of Things
SDDC - WebRTC - DevOps
Cloud computing is become a norm within enterprise IT.

The competition among public cloud providers is red hot, private cloud continues to grab increasing shares of IT budgets, and hybrid cloud strategies are beginning to conquer the enterprise IT world.

Big Data is driving dramatic leaps in resource requirements and capabilities, and now the Internet of Things promises an exponential leap in the size of the Internet and Worldwide Web.

The world of SDX now encompasses Software-Defined Data Centers (SDDCs) as the technology world prepares for the Zettabyte Age.

Add the key topics of WebRTC and DevOps into the mix, and you have three days of pure cloud computing that you simply cannot miss.

Delegates will leave Cloud Expo with dramatically increased understanding the entire scope of the entire cloud computing spectrum from storage to security.

Cloud Expo - the world's most established event - offers a vast selection of 130+ technical and strategic Industry Keynotes, General Sessions, Breakout Sessions, and signature Power Panels. The exhibition floor features 100+ exhibitors offering specific solutions and comprehensive strategies. The floor also features two Demo Theaters that give delegates the opportunity to get even closer to the technology they want to see and the people who offer it.

Attend Cloud Expo. Craft your own custom experience. Learn the latest from the world's best technologists. Find the vendors you want and put them to the test.